The UK/US and European approaches to the protection of personal data constitute a certain number of fundamental differences. Despite everything, a movement towards a harmonization of points of view seems to have begun in recent years.
In terms of personal data, the European and UK/US conceptions (in the forefront of which is the American conception) diverge on many points. Thus, one of the biggest differences between the European and American approaches concerns the commercial nature or not of personal data.
“In the United States, certain data – for example data collected by hospitals or by banks – enjoys high protection. But outside these protected areas, companies are free to exploit data as long as the companies do not commit an ‘unfair practice’. In Europe, personal data is attached to a fundamental right. Any exploitation of data constitutes a potential violation of a fundamental right, and must be justified by a legitimate interest, consent, the performance of a contract, etc. “, explains Winston J. Maxwell, currently Director of Law and Digital Studies at Télécom Paris, in a note published when he was a Partner at the law firm Hogan Lovells.
In the United States, a superposition of “common law” (at the level of each State) and federal laws
In the USA, the “common law” of each State recognizes a right to the protection of privacy with regard to private actors. In addition to these state-specific rules, the United States has federal laws to protect personal data in certain areas. “The first major law on the protection of personal data concerned data processing carried out by the federal government. The Privacy Act of 1974 establishes rules on the processing of personal data collected by the various branches of government,” recalls Winston J. Maxwell.
After the Privacy Act of 1974, the federal legislator developed a series of laws aimed at the protection of personal data in the private sector: HIPAA (Health Insurance Portability and Accountability Act) for the protection of health data, GLBA (Gramm- Leach-Bliley Act) for financial data, COPPA (Children’s Online Privacy Protection Act) for the protection of data concerning children, FCRA (Fair Credit Reporting Act) aimed at regulating the creditworthiness profiles of individuals, ECPA (Electronic Communications Privacy Act) ) for telecommunications data, “Can-SPAM” Act for the prohibition of commercial messages…
“Some of these laws are as protective as European laws, even if their scope is more limited. In addition to these federal laws, each of the American states has adopted laws aimed at protecting certain aspects of the privacy of their citizens. The State of California has notably adopted a law protecting personal data in the context of websites, as well as a law granting the right to erasure to minor users of social networks”, notes Winston J. Maxwell.
A comprehensive European approach
The set of American laws constitutes a rather heterogeneous patchwork which contrasts sharply with the overall European approach. “The Council of Europe, founded in 1949, has developed a global approach to privacy which aims to be comprehensive. This was adopted following the Second World War, when countless horrors shook the whole world,” comments Stephan Grynwajc, founder of the law firm S. Grynwajc, in an analysis published on the transatlantic-lawyer.com website.
“More recently, the adoption of GDPR, which aims to provide European residents with global and universal protection of personal data, reinforces this approach. GDPR transcends industries and areas of use of personal data and covers any processing of personal data, by any means. (…) This comprehensive approach is supposed to grant full and robust protection to the fundamental rights and freedoms of EU citizens and residents,” continues Stephan Grynwajc.
This global approach implemented by the Europeans has also prompted the US Department of Commerce to successively conclude the “Safe Harbor” in 2000 and the “Privacy Shield” in 2016 with the European Commission to regulate the transfer of personal data from the European Union to United States.
Towards a harmonization of practices?
Even though “Safe Harbor” was invalidated by the “Schrems” judgment of the Court of Justice of the European Union in 2015 and the “Privacy Shield” was also invalidated by this same European Court in 2020, Ursula von der Leyen, the President of the European Commission, and Joe Biden, the American President, announced in March 2022 a political agreement aimed at creating a new framework for international data transfers.
“We have managed to strike a balance between security and the right to privacy and data protection. We have reached an agreement in principle on a new framework for transatlantic data flows. This will enable predictable and trustworthy data flows between the EU and the United States, while safeguarding privacy and civil liberties,” said the Commission President on this occasion.
In the wake of this agreement, the European Commission launched a process at the end of 2022 to adopt the adequacy decision concerning the data protection framework between Europe and the United States. An adequacy decision is a process under Article 45 of GDPR. It authorizes the transfer of personal data from the EU to a third country, with the same level of protection.
In order to avoid the previous failures (invalidation of the “Safe Harbor” and the “Privacy Shield”), the European Commission highlights that the new framework on the transfer of personal data will include a number of changes: a limitation of access – for US intelligence services – to European data strictly necessary to ensure national security and a right to compensation for European citizens in relation to the collection and use of their data by US intelligence services. We bet that these new provisions will finally make it possible to create a harmonious, and above all effective, context for the protection of personal data between the two continents.